How to configure and utilize PI API 2016 and Windows Integrated Security to replace trusts

We have a PI system with two Data Archive servers in a collective in Domain A and redundant Interface servers in Domain B. There is no trust between the two domains. Does this mean that we have to consider the Interface servers as if they were in a Workgroup instead of a domain? The Data Archive servers are running Windows Server 2008 R2 SP1 and the Interface servers are running Windows Server 2012 R2. The Data Archive is version 2016 R2.

In Domain A we have administrator accounts (AD accounts) mapped to a PI_ADMIN Identity and service accounts (AD accounts) mapped for running Interfaces and Buffer Subsystem in that domain, and they are mapped to a PI Identity PI_INTERFACES_RW.

In Domain B we also have administrator accounts (AD accounts) and they are supposed to be used for configuring the ICU. We also have a service account (AD account) to run the Interfaces and Buffer Subsystem.

We want to avoid using PI Trusts to be able to send data from Interface servers to DA servers. This can be done by using the PI API 2016 and Windows Integrated Security, but we have some questions though we have tried to read and understand the articles AL00309, KB00354 and KB01457:

Which extra local accounts (if any) should be created on Interface servers and/or DA servers and to?

Can Windows Credential be used and how should it be configured?

The questions go for both administration using the ICU and running Interfaces and Buffer Subsystem as services.

If we use PI API 2016 on the Interface servers, how will it affect the Data Archive servers? Right now some of the Interfaces delivering data to the DA servers are still using trusts.

Look at the section "Buffering cannot open or create the API Shared Memory".

Sometimes this happens when you have some PI related services running, or PI programs running, on the machine where you are configuring buffering. These programs hold the API buffer open so that you can't restart the buffer properly.

Regarding Credential Manager, I agree that if you have the same local user and password on both machines, you should not need to use Credential Manager.

I think the KB has all the info you need, though let us know if you have any follow up questions.

Upgrading a client application to use PI API 2016 should not affect the PI Data Archive. PI API 2016 connection can be authenticated via PI Trusts as well as PI Mappings. (This is incorrect see my reply below. Leaving the original message).

> So I should install PI API 2016 on the Interface server and then I can use Windows Integrated Security and Windows Credential Manager?

Yes, that's correct.

> But I still have to create local user accounts on my PI servers which I then point to from the Windows Credential Manager on the Interface servers?

Yes, that is also correct. The examples in the KB I provided go through the details.

I am facing the same issue with my deployment right now, i have now understood all about windows credential manager and how it is used.

I have only 1 question that i'd like to clarify - Will PI buffer subsystem be able to buffer data to both members of collective? Do i need to map the interface service account to both primary and secondary PI Data Archive service accounts or mapping only to Primary member will work? Both members of collective are in the same domain.

You will need to run your interface under a local or domain B account. Then log in as that user, and store the credentials for the service account(s) in domain A in Windows Credential Manager. When the interface attempts to connect to the PI server on domain A, it should try to use the stored credential. The procedure is in KB01457.

You do not need PI API 2016 on your Data Archive servers, unless you are running PI interfaces or other applications there that require them. The core PI DA services do not use them, but interfaces like Perfmon and Ping do use PI API/SDK.

As others have mentioned, you only need to install the PI API with Windows Integrated security on the nodes that will run API applications connecting to the PI Data Archive.

Important note: PI API 2016 does not support PI trusts and explicit logins. Before upgrading to PI API 2016, you must first configure PI mappings to replace any existing PI trusts or explicit logins on PI API. To configure a PI mapping, you will need a Windows logon or service account for the PI API application.

That being said, you will be able to use local accounts (same credentials) once the PI API is upgraded. You can also, as Steve mentioned, run the service as a domain account from the PI Data Archive domain. Using the Windows Credential Manager, you can have the service in DomainA (interfaces) connect to the PI Data Archive as an account from DomainB (PI Data Archive). You can configure the Windows Credential Manager for a service account. KB01457 goes through the steps on how to do it for a service account that is not the running user.
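As an added example (not from this thread, nor from the OSIsoft KB articles it cites), the Credential Manager setup described above for an interface service account, done in PowerShell with cmdkey. Server names, account names and the domain layout (Domain A hosts the Data Archive collective, Domain B the interface nodes, as in the original question) are placeholders; the session is assumed to be opened in the service account's own context, since the Windows credential store is per-user.

```powershell
# Added example, not code from the thread or the KB. Register a stored Windows credential
# for the interface/buffer service account so that PI API 2016 can authenticate to BOTH
# members of the Data Archive collective via a PI mapping instead of a trust.
# Assumption: this runs in the security context of the service account, e.g. started with
#   runas /user:DOMAINB\svc_piinterface powershell.exe
# Placeholder names; replace with your own.
$DaServers = @('PIDA-PRIMARY.domainA.example', 'PIDA-SECONDARY.domainA.example')
$DaUser    = 'DOMAINA\svc_piinterface_da'   # account mapped to PI_INTERFACES_RW on the DA

# The credential store belongs to the logged-on user: make sure this is the service account,
# not the administrator configuring the ICU.
whoami

foreach ($server in $DaServers) {
    # "/pass" with no value makes cmdkey prompt for the password, so it never appears in
    # the command line, the PowerShell history or this script.
    cmdkey "/add:$server" "/user:$DaUser" /pass
}

# Review the stored entries. One target per collective member is needed because the
# buffer subsystem connects to the primary and the secondary independently.
cmdkey /list

# Confirm TCP reachability of the PI Data Archive listener (port 5450) from this node
# before starting the interface and PI Buffer Subsystem services.
foreach ($server in $DaServers) {
    Test-NetConnection -ComputerName $server -Port 5450 |
        Select-Object ComputerName, TcpTestSucceeded
}
```

The stored credential is only used when the connecting account's own identity is not accepted by the Data Archive, so the PI mapping on each collective member must point at the Domain A account stored here.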